Author: Fabian Greffrath <fabian+debian@greffrath.com>
Description: Fix a stack corruption while trying to verify integrity
 of a fuzzed file. Thanks again, Jakub Wilk.
Bug-Debian: https://bugs.debian.org/775134

--- a/source/base/all/uninorm/uninorm.c
+++ b/source/base/all/uninorm/uninorm.c
@@ -36,6 +36,9 @@ INT BASE_UNINORM_CP850ToUTF8NFC(UCHAR *c
    UINT Unicode[BASE_LFN_MAXLEN+1], Normalized[BASE_LFN_MAXLEN+1], *destptr = Unicode;
    UCHAR *srcptr = cp850String, *resultstr = cp850String;
 
+   if ((UINT) len >= BASE_LFN_MAXLEN)
+     len = BASE_LFN_MAXLEN - 1;
+
    srcptr[len] = 0;
    /* First, convert that DOS CP850 encoded String to Unicode */
    while (*srcptr)
@@ -48,6 +51,7 @@ INT BASE_UNINORM_CP850ToUTF8NFC(UCHAR *c
    /* Then normalize and return UTF-8 encoded in place of the input string */
    normalize_nfc(Normalized, Unicode);
    encode_utf8(resultstr, Normalized);
+   resultstr[len] = 0;
 
    
    return strlen(resultstr);
--- a/source/base/all/uninorm/unincore.c
+++ b/source/base/all/uninorm/unincore.c
@@ -17,6 +17,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include "base/all/includes.h" /* BASE_LFN_MAXLEN */
 #include "unidata.h"
 
 /* Hangul constants */
@@ -33,7 +34,7 @@
 
 /* convenience null */
 #define null 0
-#define MAX_FILENAME_SIZE 2048
+#define MAX_FILENAME_SIZE BASE_LFN_MAXLEN
 
 
 /**
@@ -367,7 +368,7 @@ void canonical_decomposition(uint *buf,
     uint temp[MAX_FILENAME_SIZE];
     temp[0] = null;
 
-    for (i = 0; i < length; ++i)
+    for (i = 0; i < length && pos < MAX_FILENAME_SIZE; ++i)
     {
         decompose_recursive(temp, str[i]);
         len = istrlen(temp);
@@ -458,7 +459,7 @@ void encode_utf8(char *buf, uint *str)
     int i, j = 0;
     int len = istrlen(str);
 
-    for (i = 0; i < len; ++i)
+    for (i = 0; i < len && j < MAX_FILENAME_SIZE; ++i)
     {
         uint c = str[i];
 
